[tor-relays] Again: abuse email for non-exit relay (masergy)

Roger Dingledine arma at torproject.org
Sun May 3 21:31:20 UTC 2020


On Sun, May 03, 2020 at 10:15:47PM +0200, lists at for-privacy.net wrote:
> Below is the information about the attack.  Keep in mind that the source IP
> of our client has been sanitized for anonymity.
> 
> Date: 04/30/2020
> Time: 11:05:37
> Time Zone: America/Chicago
> Source(s): 37.157.255.118
> Type of Attack/Scan: Generic
> Hosts: 10.10.10.182
> Log:
> 
> 37.157.255.118:9002 > 10.10.10.182:24562

The person sending you this abuse complaint is deeply confused. My guess
is that they are running some automated "attack detector" software, and
the software is buggy and telling them things that are wrong.

If your relay were making connections to their user, it would not be
using port 9002. It would be using some high-numbered port for the
outgoing connection.

So what's likely happening here instead is that *their* user is contacting
*your* relay -- that is, the person they call "our client" is a Tor user
using your relay -- but their automated attack detector is not seeing the
initial connection from their user to your relay, and it's misinterpreting
the response from your relay to the user as an outgoing connection.

I get these sorts of automated abuse complaints a few times a year to
moria1, my directory authority, and in many cases it's people running a
Tor client or relay somewhere, and that somewhere's ISP really wants me
to stop "attacking" their user, when actually what's happening is that
their user contacts my relay a lot.

So in summary: there is nothing to fix, because the complaint is wrong
about what's going on.

Whether you should respond depends on whether you need to answer your
own hosting provider to keep them happy, and/or whether you want to try
to engage with the stranger on the internet who doesn't yet understand
that their own reporting software is buggy. :)

Hope that helps,
--Roger
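
The port reasoning in the reply above, as an added example that is not part of the original message or of any Tor tooling: a small triage helper that reads flow lines in the complaint's "src:port > dst:port" format and reports whether the relay was answering on its listening port or opening a connection itself. The function names and the sample lines after the first are assumptions made for illustration; the relay address and port 9002 are taken from the quoted log.

```python
import ipaddress
import re

# "src:port > dst:port", the flow format used in the complaint's log line.
FLOW_RE = re.compile(r"^\s*(\S+):(\d+)\s*>\s*(\S+):(\d+)\s*$")

# Constructed sample: line 1 is the flow quoted in the complaint, the rest are made up.
SAMPLE_LOG = """\
37.157.255.118:9002 > 10.10.10.182:24562
37.157.255.118:51844 > 10.10.10.182:443
10.10.10.182:24562 > 37.157.255.118:9002
Type of Attack/Scan: Generic
"""


def classify_flow(line, relay_ip, listen_ports):
    """Return 'reply', 'inbound', 'outbound', 'unrelated', or None if unparseable."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group(1).strip("[]"))  # allow [v6]:port
        dst = ipaddress.ip_address(m.group(3).strip("[]"))
        relay = ipaddress.ip_address(relay_ip)
    except ValueError:
        return None
    sport, dport = int(m.group(2)), int(m.group(4))
    if sport > 65535 or dport > 65535:
        return None
    if src == relay and sport in listen_ports:
        # Traffic leaving a listening port answers a connection the peer opened.
        return "reply"
    if dst == relay and dport in listen_ports:
        return "inbound"
    if src == relay:
        # Source port is not a listener: the relay may have initiated this one.
        return "outbound"
    return "unrelated"


def triage(log_text, relay_ip, listen_ports):
    """Classify every parseable flow line; skip headers and free text."""
    results = []
    for line in log_text.splitlines():
        verdict = classify_flow(line, relay_ip, listen_ports)
        if verdict is not None:
            results.append((line.strip(), verdict))
    return results


if __name__ == "__main__":
    for flow, verdict in triage(SAMPLE_LOG, "37.157.255.118", {9002}):
        print(f"{verdict:9} {flow}")
```

Port numbers are only a heuristic; a capture that includes the TCP handshake shows directly which side sent the initial SYN.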


